Abstract

Distributed Denial of Service (DDoS) attacks are the major threat to the current internet world. Source IP Address spoofing in one of the approach to perform Distributed Denial of Service (DDoS) attacks. In this scenario the packet true origin is difficult to identify. Thus the defense against the Distributed Denial of Service (DDoS) attack is very complex to handle. We propose a novel scheme which is based on a firewall. This firewall can distinguish the attack packets from the packets sent by legitimate users based on the marking value on the packet, and thus filter out most of the attack packets. Compared to other packet-marking based solutions, our scheme is very effective and has a very low deployment cost. In the implementation of this scheme we would require the cooperation of only about 10% of the Internet routers in the marking process, and server to generate encrypted marking for secured transmission. The scheme allows the firewall to Detected and prevents the DDoS attacks from the first packet itself.